www.ischool.drexel.edu info 331 computer networking technology ii chapter 8 security dr. jennifer...

www.ischool.drexel.edu

INFO 331Computer Networking

Technology II Chapter 8

Security

Dr. Jennifer Booker

1INFO 331 Chapter 8


Security in Networks

• Any two nodes (hosts, routers, etc.) might need to exchange data securely– Secure email, transfer routing tables, military

secrets, private data (SSN, Visa), DNS servers, etc. all need secure communication

• Security has many aspects– End-point Authentication: If Bob and Carol

are communicating, how do they know it’s really Bob and Carol?

2INFO 331 Chapter 8


Security in Networks

– Confidentiality: How do we keep others from reading their exchange? Encrypted content.

– Message integrity: How do we ensure a message isn’t changed en route?

– Nonrepudiation: How can we prove a message was sent be a specific sender?

– Operational security: How do we protect the network infrastructure from things like denial of service (DoS) attacks or hackers?

3INFO 331 Chapter 8


Basic Defense Strategy

• In any kind of security approach, we need to consider three aspects in our strategy– Prevent: Protect the network to make it

harder for an attack to take place– Detect: How do you know if you’ve

been attacked?• Often very difficult in networking

– Mitigate: As or after an attack happens, how do you minimize the damage it did?

4INFO 331 Chapter 8


Non-network Example

• Consider the problem of a bomb on a plane– Prevent: might prevent the problem by 1) scanning

luggage and passengers, 2) requiring security checks for airport employees, and 3) controlling access to planes on the ground

– Detect: detect the problem by 1) a bomb going off, or 2) someone identifying they have a bomb

– Mitigate: Reduce damage by 1) reducing altitude before the bomb goes off, 2) design the plane to avoid duplicate systems next to each other

5INFO 331 Chapter 8


Non-network Example

• This illustrates some important principles– Security costs effort and money– Security is often inconvenient, even annoying

• Security measures often directly reduce productivity

– Security often affects systems beyond the immediately obvious ones

– Design of the system is often affected by security risks, even if they are rare events

6INFO 331 Chapter 8


Security vs classification

• In discussing security, the notion of classification (e.g. Confidential, Secret, Top Secret, etc.) can emerge

• Systems to handle classified material are known as ‘trusted’ systems – look for that keyword– Often based on old standards such as the

Rainbow Series’ Orange Book

7INFO 331 Chapter 8


Passive Intruder

• Going back to Bob and Carol, what happens if someone is listening to their exchange?

• A passive intruder could– Eavesdrop – listen to and record the

secure exchange– Modify, insert, or delete messages that

Bob and Carol were trying to exchange– Could lead to stealing data, impersonating another

user, hijacking a session or causing DoS

8INFO 331 Chapter 8


Cryptography

• Codes for communication go back millennia• There are tons of resources on the subject:

– RSA, NIST Computer Security Resource Center– The CERT Coordination Center

• A plain (or clear) text message (e.g. “Sell IBM stock now!”) is encrypted into cipher text (which is illegible) using an encryption algorithm, KA

– The key is an input to the algorithm (= cipher)– (Plain text + key) via algorithm ciphertext

9INFO 331 Chapter 8


Cryptography

• At the receiving end, the cipher text is turned back into plain text using a decryption algorithm, KB)

plaintext plaintextciphertext

KA

encryptionalgorithm

decryption algorithm

Alice’s encryptionkey

Bob’s decryptionkey

KB

plaintext plaintextciphertext

KA

KA

encryptionalgorithm


Alice’s encryptionkey

Bob’s decryptionkey

KB

KB

10INFO 331 Chapter 8


Keys

• A key is a string of characters, numbers, and other ASCII symbols that feeds into the encryption and decryption algorithms

• The longer the key (in bits), the harder it is to break– DES uses a 56-bit key (obsolete)– Triple DES uses 168-bit– AES use up to 256-bit keys– RSA and PGP use up to 4096-bit keys



Keys

• There are two major encryption approaches – symmetric key and public key

• Symmetric key means that KA = KB – The same key is used by both sender

and receiver

• Public key encryption requires a public key that anyone can know, plus different private keys for sender and receiver– Public key requires longer keys for equal security



Block vs Stream

• Another is whether each character is coded individually (stream cipher), or a group of characters are coded together (block cipher)– Stream cipher examples include Caesar’s

code, the WWII Enigma machine, and WEP (Wired Equivalent Privacy)

– Block ciphers are very common (AES, RSA, etc.)

• Block sizes are typically 64 or 128 bits



Cipher-Block Chaining (CBC)

• Repeated phrases, like ‘HTTP/1.1’ produce the same string when encrypted, making it easier to guess their meaning– Send a 64-bit Initialization Vector (IV) first– Encrypt and send (first block of text XOR IV)– For each subsequent block, encrypt and send

(previous block XOR current clear text)

• This keeps duplicate blocks from appearing that way



Key Breaking Approaches

• There are three ways to approach breaking an encrypted message– Cipher-text-only attack – you only have the

ciphertext, and little or no clue what it contains– Known-plaintext attack – when some of the

message contents are known, such as certain names, words or phrases that should appear

– Chosen-plaintext attack – when you can feed text (‘The quick brown fox jumps over the lazy dog’) into the cipher, and see what it produces



Symmetric Key Crypto

• The Caesar cipher was very simple

• Just move the alphabet down some number of characters, ‘k’– A G (for k = 6)– Then B H, C I, D J, etc.– Wrap around when you get to T Z, U A

• If you know this is the type of cipher, there are only 25 different possible keys!




• Improve on this with a monoalphabetic cipher

• Each letter corresponds to some other letter, but they aren’t in order– A V, B L, C R, or whatever

• This makes 26! (= 4.03E26 or 4.03x1026) key combinations in theory, but patterns of common words make it a lot easier to break than that would suggest




• Improve on the Caesar cipher with a polyalphabetic cipher (encryption)

• Use multiple ciphers in a fixed pattern throughout the message, such as two Caesar ciphers with different offsets (k values)– E.g. follow a pattern of “C1 C2 C2 C1 C2”

where C1 uses k=5 and C2 uses k=19– Hence need to know pattern and k values



DES

• The Data Encryption Standard (DES) was invented in 1977, and updated in 1993– It is symmetric, uses 64-bit blocks, and nominally

a 64-bit key– Ok, only 56 bits of the key are usable – the rest is

for parity checks 2^56 = 72E15 possible keys

• How DES works is very messy– The 64 bits in a block are permuted, go through 16

cycles of math operations, and get permuted again at the end



DES

• Each of the 48-bit keys (K1 to K16) are different parts of the overall 56-bit key



DES Code-Breaking Tests

• In 1997 it took under four months to break a DES-encrypted message by brute force (keep trying keys until one works) – In February 1998 it took 41 days– In July 1998 it took 56 hours– In January 1999 it took 22.25 hours, though

using nearly 100,000 PC’s



Triple-DES

• Ok, so DES isn’t perfect

• Triple-DES (3DES) runs DES three times with different keys– Makes for a 168-bit key!– Used for PPP encryption



AES

• The Advanced Encryption Standard (AES) was proposed in 2001 to replace DES– Uses symmetric encryption with 128-bit

blocks– Keys can be 128, 192, or 256 bits long

• NIST claims if a computer could crack 56-bit DES in one second, it would take 149 trillion years to break 128-bit AES



AES

• AES, 3DES, and Skipjack are all recognized Federal Information Processing Standards (FIPS)– Skipjack was used on the Clipper chip for

hardware security; uses a 64-bit key from an 80-bit cryptovariable



Public Key Encryption

• So all this symmetric key stuff is good, but how to you exchange the keys securely?

• Easier if we can show part of our key publicly

• First public key approach was the 1976 Diffie-Hellman Key Exchange algorithm– Sender and receiver have public keys– Each receiver also uses a private key

to decrypt a message




plaintextmessage, m

ciphertextencryptionalgorithm


Bob’s publickey

plaintextmessageK (m)

B+

K B+

Bob’s privatekey

K B-

m = K (K (m))B+

B-

plaintextmessage, m

ciphertextencryptionalgorithm


Bob’s publickey

plaintextmessageK (m)

B+K (m)B+

K B+

Bob’s privatekey

K B-

m = K (K (m))B+

B-

m = K (K (m))B+

B-

Why does this provide confidentiality?




• Two main concerns with public key ciphers– An intruder can easily know a receiver’s

public key, and the encryption method, so a chosen-plaintext attack is possible

– Hence private keys, and verifying the sender of a message are critical – the digital signature

• The best known public key algorithm is RSA– Named for Rivest, Shamir, and Adleman



RSA

• RSA works like this– Pick two large prime numbers, p and q– Want pq> 1024 for corporate use, pq>768 for

lesser security– Let n = pq, and z = (p-1)(q-1)– Choose e < n which has no factors in

common with z– Find d such that (ed-1)/z is an integer– The public key is (n,e); the private key is (n,d)



RSA

• To use this, take a plaintext message m

• The ciphertext is c = (m^e)*mod (n) – This is the integer remainder when m^e is

divided by n

• The receiver gets c, and decodes the message using m = (c^d) mod n

• So n and e are used for encryption; n and d are used for decryption



RSA

• So the theory isn’t too weird, just tedious because of the large numbers involved

• Finding large prime numbers is a critical element of many crypto schemes – RSA is no exception

• Also important is how to choose d and e

• Such issues are beyond our scope here



RSA vs DES

• RSA is 100 times slower than DES in software, and 1000 to 10,000 times slower than DES in hardware– Hence RSA is often used with DES or AES

• For example, a DES session key KS can be sent via public RSA key, and then the rest of the transmission can be done using DES (key concept!!)



Why does RSA work?

• The trick is that p and q are prime, so– 1 = mod (p-1)(q-1) = mod z

• And we chose ed so that (ed-1)/z has no remainder, hence ed mod (z) = 1

• Encryption followed by decryption of message m therefore gives– (m^e)^d = m^1 mod n = m (the original

message)



RSA

• RSA also works because there is no fast way (yet?) to factor a large number n into the primes p and q

• If you could do that, the private key d could be determined from the public key e, and RSA would be sunk



Message Integrity

• In our legal system, a competent adult can use their written signature to affirm a contract– Whether paying for lunch on a credit card, or signing

a law into existence, the effect is similar

• A digital signature does the same thing online• Need to verify that the signature came from the

person claimed, and only that person– Need it verifiable, non-forgeable and not alterable– Use public key crypto to do this



Digital Signature

• For Fred to sign a message, m, he applies his private key to encrypt the message– The result is the signed message

• To recover the message, apply his public key

• Yes, this is the reverse of the way to send an encrypted message – Which was use the public key to create cipher

text, then use the private key to decode it



Digital Signature

• Why does this work backward?– The application of public and private keys is

just math operations – in this case, doing them in either order results in recovering the original message

• Since only Fred knows his private key (we hope!), that proves the message was generated by him– Lesson: Don’t share a private key – EVER!!!



Message Digests

• Digital signatures are very computationally expensive

• Want a way for large volumes of data to verify the sender of a message, and make sure the data wasn’t changed

• A message digest does this, while being cheaper than a full blown digital signature– A message digest is a cryptographic hash

function, like checksums and CRC codes



Message Digests

• To create a message digest– For a message, m, compute the hash

function H(m)– Sign H(m) with your private key, KB

-(H(m))– Send the unaltered message, m, with the

encoded hash function

• The recipient applies the public key KB

+( KB-( H(m) ) ) to recover the hash

function that came with the message



Message Digests

• The recipient evaluates the hash function with the message received – If the message’s hash function agrees with the hash

function they calculate for the message, it proves the message wasn’t altered

• A hash function creates a string of fixed size– Must be infeasible to get the same hash function for

any two input messages H(m) = H(n)– Consider it like a really fancy checksum



Message Digests

• To improve on this approach, create the hash of the message (m) AND a secret authentication key (s)– H(m+s) = a Message Authentication Code,

MAC– [This MAC is unrelated to the link layer MAC

address]

• HMAC (noted later) is a popular standard for generating MACs Is a MAC encrypted?



Message Digests

• So two mechanisms are used in the message digest– The application of private and public keys is

used “to verify the sender of a message” – The hash function is used to “make sure the

data wasn’t changed”

• The MD5 algorithm (Ron Rivest) is widely used for creating 128-bit message digests– See RFC 1864, if really bored on a long flight



Message Digests

• If MD5 isn’t good enough for you, try SHA-1, which has a 160-bit message digest– Based on MD4 (which preceded MD5)– Stands for Secure Hash Algorithm, defined by

FIPS 180-2– SHA can handle message sizes up to 264 or

2128 bits (that’s 1.8E19 or 3.4E38 bits)

• Still not secure enough?– SHA-2 has up to 680-bit message digests



Key Distribution & Certification

• Both symmetric and public key crypto desperately need to control access to keys

• They require a trusted intermediary – For symmetric key crypto, that role is the Key

Distribution Center (KDC)• MIT’s Kerberos is a classic example

– For public key crypto, that role is the Certification Authority (CA)



Key Distribution Center (KDC)

• Two people (Alice, Bob) on a public network can use symmetric key crypto via a KDC

• Each user has a personal secret key registered with the KDC

• Here call them KA-KDC and KB-KDC – Alice uses her secret key to tell the KDC she wants

to talk to Bob– The KDC sends her a one-time session key, R1,

and that key coded using Bob’s secret key (!)




– Alice now knows the one-time session key, and sends the encrypted key to Bob

– Bob decodes it, and now also knows the one-time session key

– Now Alice and Bob can communicate securely using R1

• Sneaky, huh?• The critical (and risky) part is that the KDC

knows everyone’s secret key




Aliceknows

R1

Bob knows to use R1 to

communicate with Alice

Alice and Bob communicate: using R1 as session key f or shared symmetric encryption

KDC generates

R1

KB-KDC(A,R1)

KA-KDC(A,B)

KA-KDC(R1, KB-KDC(A,R1) )Aliceknows

R1

Bob knows to use R1 to

communicate with Alice

Alice and Bob communicate: using R1 as session key f or shared symmetric encryption

KDC generates

R1

KB-KDC(A,R1)

KA-KDC(A,B)

KA-KDC(R1, KB-KDC(A,R1) )



Public Key Certification

• Public keys can be made available many places – Email signature lines, web pages, or put in a

public key server

• But if I tell you XYZ123 is my public key, how do you know it’s really mine, and not someone else’s?– That’s the role of public key certification – to

verify the identity of a public key47INFO 331 Chapter 8


Certification Authority (CA)

• A Certification Authority (CA) binds a public key to a particular person (entity)

• The CA’s rules are simple– A CA must use some means to verify a

person’s identity (the rules vary!)– The CA creates a digitally signed certificate

which binds the person to the public key

• The CA must have a public key which is well known (so they can’t be spoofed)




• Example of using a CA– If you order a pizza from Drexel Pizza over

email– They could see your public key at, say, the

bottom of your email message– They use the public key of the CA to verify

that really is YOUR public key– Once your public key is verified, the order

can be placed




• The ITU and IETF both have standards for certificate authorities– ITU X.509 and RFC 6170, respectively– Verisign is among the better known CAs



Authentication

• Authentication is proving your identity– Over a network, no one can tell if you’re you!

• Assume we’re dealing with live communication– A later issue is whether a message in the past

was really sent – the digital signature problem

• Here, authentication is done via messages (duh!) from an authentication protocol



Authentication

• The authentication protocol has to confirm the identities before communication occurs

• We’ll look at increasingly complex versions of an authentication protocol, “ap”, much like we did for TCP last term– Don’t worry, no finite state diagrams this time



Ap1.0

• The simplest way to authenticate is simply to self-identify– ‘I am Fred Smith’

• The obvious trouble is that there’s no assurance this is a true statement

• For that matter, you don’t know if it’s really the correct Fred Smith you meant to talk to



Ap2.0

• If the sender is using a known fixed IP address, we could authenticate by checking the datagram for that source IP address– Yes, this datagram is coming from 23.65.133.2– But this leads to the IP spoofing problem – changing a

datagram to show a different source IP than is true

• Good first hop routers will only send out datagrams with correct source IPs (RFC 3704)

– But this isn’t enforced



Ap3.0

• Ok, how about using a password to authenticate the user?– If the sender sends a password, it could be

intercepted, and later used to fraudulently authenticate a spy

– Many passwords (HTTP, Telnet, FTP) are sent in plain text, or are trivially encoded

• Sniffing packets on a server is an easy way to steal passwords



Ap3.1

• Um, so encrypt the password!– (Assuming a symmetric cipher is used)

• Nope, no good– A sniffer could record the cipher text of the

password, and replay it to log in (a playback attack)

– Even though the sniffer doesn’t learn what the password is, they can still impersonate the sender



Ap4.0

• Well, the problem was reusing the same password over and over – what if it’s unique?

• What if we have a sequence or set of passwords, and use each one only once?

• Use a nonce – a number used by the protocol only once EVER, like this– Sender sends message to receiver– Receiver chooses a nonce, R, and replies



Ap4.0

– Sender encrypts the nonce with a symmetric key, KA-B(R) and sends it back

– Receiver decrypts it– If the received message matches the nonce

sent, it’s accepted

• This works (yay!), but depends on having a symmetric key on both sides– See if we can improve on it…



Ap4.0

“I am Alice”

R

K (R)A-B

Alice is live, and only Alice knows key to encrypt

nonce, so it must be Alice!

“I am Alice”

R

K (R)A-B

K (R)A-B

Alice is live, and only Alice knows key to encrypt

nonce, so it must be Alice!

Sender Receiver



Ap5.0

• Can we achieve the good outcome of ap4.0 using public key encryption?

• Try this:– Sender sends message to receiver– Receiver chooses a nonce, R, and replies– Sender uses private key to encrypt the nonce,

and sends it back to receiver– Receiver uses sender’s public key to compute

R and authenticates the sender



Ap5.0

• So what’s wrong? Try this scenario– Thief sends message impersonating sender to

receiver– Receiver chooses nonce, R, and replies with it– Thief intercepts message, uses her private key to

encode the message, and sends it to receiver– Receiver asks sender for public key, but it’s

intercepted by the Thief, who sends their public key– Thief is authenticated as the sender!



Ap5.0

• The goodness of ap5.0 is limited by the availability of public keys

• Similarly, a man-in-the-middle or bucket brigade attack puts the Thief in the middle of the real conversation, unknown to either side– Worse, neither sender nor receiver will know

their content was seen by the Thief in the middle



Man-in-the-middle AttackI am Alice I am Alice

R

TK (R)

-

Send me your public key

TK

+A

K (R)-


AK

+

TK (m)+

Tm = K (K (m))+

T-

Trudy gets

sends m to Alice encrypted with

Alice’s public key

AK (m)+

Am = K (K (m))+

A-

R

I am Alice I am Alice

R

TK (R)

-T

K (R)-

K (R)-


TK

+T

K T

K +

AK (R)

-A

K (R)-

K (R)-


AK

+A

K A

K +

TK (m)+T

K (m)+

Tm = K (K (m))+

T-T

m = K (K (m))+T

-Trudy gets

sends m to Alice encrypted with

Alice’s public key

AK (m)+A

K (m)+

Am = K (K (m))+

A-A

m = K (K (m))+A

-

R



Firewalls

• Like the gateway on a castle, firewalls are designed to control entry into a network, and access out of it

• The amount of control a firewall can have is immense



Firewalls

• The goals of a firewall are generally– All traffic into and out of the organization must

pass through a firewall– Only authorized traffic will be allowed to pass– The firewall itself is immune to attack

• Firewalls are inherently paranoid– The default setting is to allow nothing in

or out!



Firewalls

• Firewalls fall in three categories – Packet filters (network level) – Stateful filters – Application gateways

• First look at packet filtering– Most organizations have a firewall at the

boundary to the public Internet (plus possibly others internally)



Firewalls

• Packet filters can look at each packet’s– Source and/or destination IP addresses– Type of protocol (transport or application)– Source and/or destination port number– TCP flag bits – SYN, ACK, etc.– ICMP message type

• Rules can vary for inbound vs outbound traffic, or for different router interfaces



Firewalls

• Any of these can be a basis for filtering rules– For example, block all outgoing Telnet or

FTP or HTTP traffic– Block UDP traffic to stop (some) streaming

media– Or exclude specific IP addresses from

these rules



Firewalls

• A sneaky trick is to block incoming TCP traffic with the ACK bit set to 0– This kills TCP connections originating from

the outside

• Another key issue is to be aware of the sequence in which packet filtering rules are applied– The first rule that applies to a packet

determines its fate – not all the rules!69INFO 331 Chapter 8


Firewalls

• Even a simple firewall (Cisco PIX 501, about $400) can control (see handout)– Which interfaces are active, and at what speeds– IP addresses allowed to take data in– IP addresses allowed to send data out– Which protocols are allowed to operate– Which ports are allowed for each protocol– Use of authentication servers (e.g. RADIUS)– If the firewall acts as an HTTP or DHCP server



Firewalls

– Use of a virtual private network (VPN), and what types of encryption are used (DES, 3DES, AES)

– IP addresses of the interfaces– Where NAT is running inside the network– SNMP server information

• Licensing issues include how many interfaces are active (2+), how many hosts can be connected (10, 50, or unlimited), allowable throughput, and whether VPN is available



Stateful Packet Filters

• Stateful filters track each TCP connection, and decide in the context of that connection how to apply filtering rules– Do so by creating a connection table with

each connection’s source and destination IP and port number

– An access control list can define the rules for allowable IP, port, transport protocol, flags, etc.



Application Gateway

• The other category of firewall is an application gateway– It’s a server which filters application data– Packet filters can’t filter by user, but an app

gateway can

• Can combine with packet filtering– Have packet filter only allow Telnet from the

app gateway, then have app gateway control which users can use Telnet



Application Gateway

• Can have separate app gateway servers for each app (HTTP, FTP, email, etc.)– Web cache & email servers are also

gateways

• Using an app gateway costs in lower app performance, plus the time needed for its configuration and maintenance

• Firewalls can be breached by wireless devices, or even dialup connections



Intrusion Detection Systems

• An IDS does deep packet inspection, looking at packet message contents instead of just headers– An IDS can be signature-based, where it

keeps a database of attack signatures for various forms of attack

– Or an anomaly-based IDS looks for statistically unusual packet patterns



Intrusion Detection Systems

• The network between a packet filter and an IDS can be called the DMZ (demilitarized zone)– Public web servers are typically inside

the DMZ

• Snort is an open source IDS



Network Attacks

• Many kinds of attacks on computer networks are possible– Can attack common operating systems– Can attack applications– Can attack the network itself

• We’ll focus on the latter– Disclaimer: Naturally this isn’t intended to be

a user’s guide to hacking, but is intended to help you be proactive to protect your network



Need 411

• Many attacks are preceded by gathering information– Same idea as ‘casing’ a future crime scene,

scouting, reconnaissance, etc.– Here we call it mapping

• Mapping is often to determine the IP addresses of hosts on the network, the type of OS’ used, and types of services offered



Mapping

• Ping can be used to find IP addresses

• Port scanning is done by trying to send TCP connection requests or UDP packets to every possible port number, and see which ones are active– Nmap is a free, open source, network

mapping utility which uses WinPcap– Many firewalls look for port scanners, and

report their presence to a network manager79INFO 331 Chapter 8


Packet Sniffing

• A packet sniffer receives all packets coming into or leaving a host– Promiscuous mode

allows it to receive all passing frames

– Unencrypted user names and passwords can be found this way

No, packet sniffing!



Packet Sniffing

• To detect Packet Sniffing, need to detect network interfaces (NICs) that are in promiscuous mode

• One way is to send ICMP Echo Request messages to all hosts, with a correct IP address, but wrong MAC address– Hosts that Reply are likely to be in

promiscuous mode

• Encrypt data when sniffing may be present



Spoofing

• IP Spoofing is deliberately changing the IP address a datagram claims to be from

• This is used to hide the true source of an attack, such as denial-of-service

• Spoofing is preventable with ingress filtering– Have a router check to see if the packet came from

the correct interface to have come from the claimed source IP address

– Still, not very powerful if router has few interfaces



Denial-of-Service (DoS)

• A herd of attacks fall under Denial-of-Service (DoS) or distributed DoS (DDoS) types

• Main purpose is to prevent real users from getting to a network or web site

• A SYN flooding attack sends many TCP SYN packets with spoofed IP addresses to a server– The server completes the second step of the

handshake, and allocates resources for the connection



Denial-of-Service (DoS)

– The server runs out of resources, and crashes

• A variation of this is to send incomplete TCP fragments to a server, who will dutifully keep them in the hope of completing the segment– The final packet never arrives, but the server keeps

the fragments until it runs out of storage

• A smurf attack gets a lot of innocent hosts to respond to ICMP Echo Request messages– They all reply to a server whose IP was spoofed



Distributed DoS

• Sneakier yet is the distributed DoS attack– A master attacker gains access to many unsuspecting

hosts (e.g. via password sniffing)– The master installs a DoS application on each

slave host– When a signal is sent, all of the slaves start a DoS

attack against the same server

• Since many hosts are involved in the attack, it’s very difficult to defend against this



Hijacking

• Hijacking a connection means you take over one side of it, without the other side being aware of the subterfuge– An attacker monitors a connection to find out ACK

and sequence numbers, IP addresses, etc.– They DoS attack one sender to keep them from

responding, and start communicating with the other sender in place of the original host

• The other sender may not be able to tell someone else is present!



Case Studies

• All of the top four layers of protocols (App, Transport, Network, Link) can provide security to varying degrees– All layers above the secure one benefit from

its security– Higher layer security needed for user-level

protection; lower layers harder to implement

• We’ll look at case studies in each layer– E-mail, SSL, IPsec, and 802.11



Case Study: Secure E-mail

• What features might we want from secure email?– Confidentiality – only sender and receiver can

see the contents– Sender authentication – verify sender’s

identity– Message integrity – to know it wasn’t changed– Receiver authentication

• So how can we provide these features?




• Confidentiality could be done with symmetric key encryption (DES or AES), but distribution of a symmetric key is hard

• Could use public key encryption– Makes the key exchange easier– Bad for long messages, though– Could use the symmetric-public trick from

earlier – send the symmetric key using public key encryption, then converse using symmetric key




• Now ignore confidentiality for a moment, and consider sender authentication and message integrity– Sender applies a hash function (MD5) to a

message, and signs it with their private key– Receiver applies sender’s public key, and

compares the received hash value with that generated locally

– This accomplishes both desired functions




• Now combine the two approaches– Sender generates a hash of their message

and applies their private key to the hash– The hash + message then has their

symmetric key applied– Receiver gets the message, undoes the

symmetric encryption, applies the sender’s public key to recover the sent hash, and compares to the locally generated hash

• Easy, huh?




• So to provide secure email we’re using three technologies– Hash functions & digital signatures– Symmetric key crypto– Public key crypto

• Does it work? Yup! – And it has since 1991



Pretty Good Privacy (PGP)

• PGP was created in 1991 by Phil Zimmermann– Free versions are available, or you can buy

fancier versions– It uses the approach outlined on slide 81

• Messages can be digitally signed, encrypted, or both– And it can throw in data compression, too




• How does it do it?– The message digest is created with MD5 or SHA – Symmetric key crypto is done using CAST, 3DES, or

IDEA – Public key crypto is done with RSA

• PGP creates a public key for each user, and protects their private key with a password

• Public keys can be kept on a server, your web site, or attached to messages




• Key certification is done partially by mutual assurance– A user can certify a user/key combination– Some have mutual key signing parties

(yippee)

• But most people advertise their public keys via email or personal web sites



Secure Sockets Layer (SSL)

• Secure Sockets Layer provide security at the transport layer (TCP)

• Secure business transactions (stock trades, finance, etc.) are a key motivation– Otherwise sensitive info could be stolen, or a

false storefront could trick real customers

• SSL was created by Netscape to provide encryption and authentication between a web browser and a web server




• SSL starts with a handshake phase to negotiate which crypto algorithm will be used (DES, IDEA, etc.), and authenticates the server to the client– During the session, all data is encrypted using

keys negotiated during handshake

• SSL 3.0 is the basis for the Transport Layer Security (TLS) protocol, RFC 5246




• SSL sits between the transport and application layers, and can be used for many kinds of apps (email, etc.)

• From the sending side, SSL– Takes app data, encrypts it, and sends it to

a TCP socket

• From the receiving side, SSL– Reads from a socket (port), decrypts it, and

sends it to the application at that end




• SSL provides:– SSL server authentication – is this really the

server I think it is? Done via Certificate Authorities (CA) and public keys

– SSL client authentication – likewise prove the client is who they say they are

– Encrypted SSL sessions – in which all data between client and server is encrypted




• A web page on an SSL-enabled server is addressed by https instead of http

• The web browser has a list of CAs and their public keys

• We’re going to use the public key – to exchange symmetric keys trick again

• So how does the handshake work?– Ok, this is a Reader’s Digest version of it…



SSL Handshake

• Browser sends server their SSL version and symmetric crypto preferences

• Server sends browser their version, preferences, & certificate with RSA public key

• Browser checks certificate against list– If it’s not on the list, user is warned– If it is on the list, the CA’s public key is used

to validate the certificate and get their public key



SSL Handshake

• Browser generates a symmetric session key, encrypts it with server’s public key, and sends to server

• Browser warns server all future messages will use the symmetric session key

• Server tells browser the same thing

• Handshake is done, and session begins



SSL Limitations

• SSL is widely used for credit card purchases, but it wasn’t designed for that purpose

• One could obtain a CA for a business that has nothing to sell, and no certificate authority could block it from getting a certificate– A certificate just proves you really are XYZ

Corporation, not whether XYZ Corp is reputable or trustworthy!



IPsec

• The IP security protocol, IPsec, is a suite of protocols at the network layer– It’s described in over a dozen RFCs, mainly

RFC 4301– Often used for Virtual Private Networks

(VPNs)

• We want network-layer confidentiality– All datagrams have encrypted data– Any encryption method could be used



IPsec

– Data could include TCP or UDP segments, ICMP messages, etc.

– If everyone provided network-layer confidentiality, anyone tapping the network would see only gibberish

• We also might want source authentication– This would verify the source of a datagram

really sent it, thereby defeating spoofing IP addresses



IPsec

• IPsec offers two levels of service (RFC 7321)– Authentication Header (AH) protocol

• The AH protocol provides source authentication and data integrity, but no confidentiality

– Encapsulated Security Payload (ESP) protocol

• The ESP protocol provides all three (source authentication, data integrity, confidentiality)

• Hence ESP is more processing-intensive



Security Association (SA)

• Both AH and ESP first establish a logical channel using a Security Association (SA)

• Recall a normal IP connection has no state information

• An SA defines a logical connection between hosts– SA is simplex (one-way)– For traffic to flow both directions,

make two SAs



Security Association (SA)

• An SA is defined by– Security protocol identifier (AH or ESP)– Source IP address– 32-bit connection identifier, the Security

Parameter Index (SPI)

• A given SA connection will use the same SPI value in all of its datagrams– Store SA info in Security Association

Database (SAD) in the OS kernel108INFO 331 Chapter 8


Authentication Header (AH)

• Once an SA is established, a host can send secure datagrams to the other host

• To use AH, a special header is inserted between the normal IP header and the TCP or UDP segment– The IP header has protocol field #51

• Routers handling AH traffic only see that protocol field – the rest is ignored by them

I P header data (e.g., TCP, UDP segment)AH headerI P header data (e.g., TCP, UDP segment)AH header




• The AH header has these key fields:– Next Header, which is the IP protocol field– SPI value for this connection– Sequence number – unlike the TCP sequence

number, this is 0 to start and is tracked separately from the TCP field

– Authentication Data field, which contains a message digest (digital signature) for this datagram




• The message digest is calculated for the IP header and the TCP/UDP segment, ensuring host authentication– It’s computed using the usual algorithms -

MD5, SHA, etc.– These algorithms are a.k.a. Hashed Message

Authentication Codes (HMAC, RFC 2404)

• When the receiving host gets a datagram with an AH header, it determines the SA and processes the authentication field



AH and ESP

• After authentication, AH uses the TCP or UDP segment as is (no encryption was used)

• ESP also starts with an SA connection

• ESP surrounds the original IP datagram with both headers and trailers

I P header TCP/ UDP segmentESP

headerESP

trailerESP

authent.

encryptedauthenticated

I P header TCP/ UDP segmentESP

headerESP

trailerESP

trailerESP

authent.ESP

authent.

encryptedauthenticated



ESP

• For ESP, IP protocol field 50 is used

• The original segment and ESP trailer are encrypted using DES-CBC (RFC 2405)

• The ESP header has– 32-bit SPI field– 32-bit sequence number– Same roles as in AH



ESP

• The ESP trailer has– Next Header– Authentication Data field– Again, same roles as in AH

• The optional ESP Authentication field is – “… a variable-length field containing an

Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data. ”



SAD and SPD

• When a router receives an unsecured datagram, how does it know it’s okay to encrypt it? And if so, according to which SA?– The Security Policy Database (SPD) knows

what types of datagrams are to receive IPsec, and which SA is appropriate for each



Key Mgmt: IKE and ISAKMP

• In order for IPsec to be widely used, key management has to be automated and reliable– Internet Key Exchange (IKE) does this for IPsec– RFC 7296

• Somewhat related, the Internet Security Association and Key Management Protocol (ISAKMP) defines how SA’s are established and torn down (RFC 4945)



Security in 802.11

• Since wireless access points are omni-directional, security is a big concern (or should be!)

• Only one of these was my network!



WEP

• The basic level of 802.11 security for authentication and encryption is Wired Equivalent Privacy (WEP)

• WEP uses a symmetric shared key

• WEP doesn’t specify how the key is shared



WEP Authentication

• WEP authenticates a host like this:– Host requests authentication by an AP– AP responds with a 128-bit nonce value – Host encrypts the nonce with its symmetric

key– AP decrypts the host-encrypted nonce

• If it matches the value sent by the AP, the host is authenticated



WEP Encryption

• WEP encrypts data using a 40-bit secret symmetric key– Each frame also gets a different 24-bit

Initialization Vector (IV), for a total of 64 bits

• Encryption works like this:– Find a 4-byte CRC value for the data– Use RC4 to encrypt the (data plus CRC code)– The IV value for this frame is in plain text in

the 802.11 frame header



WEP Encryption

• Receiver of the data:– Takes the IV value, appends it to the known

40-bit secret symmetric key, and decrypts the frame

– Then the CRC check can verify data integrity

• RC4 is deliberately a weak code, so that it can pass US export regulations

• For RC4 to work reliably, it can never use the same 64-bit key



WEP Encryption

• But 40 bits of the key are rarely changing (if ever), so each key is only unique for 2^24 IV values

• If IV is chosen randomly, a duplicate key is 99% likely after only 12,000 frames– If a duplicate keyed message is intercepted, a

spoofed IP listener can decrypt the entire message, and determine what the secret key was

• WEP has many documented weaknesses



802.11i

• 802.11i was approved in 2004 to improve wireless security– Wi-Fi Protected Access (WPA) is a subset of it

• 802.11i provides a set of security options called Robust Security Network Association (RSNA) security

• It also manages keys, and has an authentication server separate from the access point



802.11i Phases of OperationAP: access point AS:

Authenticationserver

wirednetwork

STA:client station

1 Discovery ofsecurity capabilities

3

STA and AS mutually authenticate, togethergenerate Master Key (MK). AP servers as “pass through”

2

3 STA derivesPairwise Master

Key (PMK)

AS derivessame PMK, sends to AP

4 STA, AP use PMK to derive Temporal Key (TK) used for message

encryption, integrity

AP: access point AS:Authentication

server

wirednetwork

STA:client station



33

STA and AS mutually authenticate, togethergenerate Master Key (MK). AP servers as “pass through”

22

33 STA derivesPairwise Master

Key (PMK)

AS derivessame PMK, sends to AP







802.11i

• 802.11i, and advanced encryption such as AES

• It uses the Extensible Authentication Protocol (EAP, RFC 3748)– It can use RADIUS (and soon, DIAMETER)

authentication between AP and authentication server

– Between wireless host and AP it can use EAP over LAN (EAPoL, IEEE 802.1X)



Summary

• So we’ve looked at the basics of:– Secure communication principles– Encryption (cryptography), such as DES and RSA– Authentication – Digital signatures and message digests– Key distribution methods

• And examples of how these technologies are used within each network layer: email, SSL, IPsec, and 802.11


www.ischool.drexel.edu info 331 computer networking technology ii chapter 8 security dr. jennifer...

Documents